
Lyceum Group Updates its Arsenal With New Tricks and Tools

New details have been revealed about the Lyceum group (aka Hexane), which was first spotted in 2019. Researchers have identified a new set of activities that indicate that the group targeted two entities in Tunisia, while also updating its arsenal.

What does the research say?

Kaspersky found that Lyceum has evolved its arsenal in the past few years and moved away from previously documented .NET malware to new versions written in C++.
  • The new malware implants are categorized under two different variants—James and Kevin—after the names repeatedly appeared in the PDB paths of the malware samples. 
  • Both variants have similar custom C2 protocols tunneled over HTTP/DNS. 
  • Additionally, researchers spotted an unusual variant that included no mechanism for network communication. It was probably used to proxy traffic between two internal network clusters.
  • Moreover, the group used a PowerShell script created to steal credentials saved in browsers, along with a custom keylogger deployed on a few of the targeted systems.

A connection to DNSpionage 

Similarities between Lyceum's recent attacks and the infamous DNSpionage campaign, a cluster of activity linked to OilRig, have also been observed.
  • Both campaigns have similar geographical targeting and use DNS or fake websites to tunnel C2 data.
  • Additionally, researchers found similarities between lure documents spread by Lyceum in the past and those used in the DNSpionage campaign.
  • The connection became stronger when common code structure and choices of variable names were detected.
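Both the James/Kevin implants and the DNSpionage campaign are described above as tunnelling C2 data over DNS. The script below is an added example, not code from the article or from Kaspersky, showing one way a defender can hunt for that pattern in DNS query logs: it groups queries by client and parent domain and scores the leftmost label for length, Shannon entropy and uniqueness, since tunnelled data tends to show up as many distinct, long, high-entropy labels under one parent. The log lines, the `updates-svc.example.net` domain and the thresholds are all constructed for the example and should be tuned against your own baseline.

```python
import math
from collections import defaultdict

# Constructed sample DNS log lines (client, query type, query name); not from the article.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 TXT 3a7f9c2e1b4d6a8f0c2e4b6d8a0f1c3e5b7d9f1a.updates-svc.example.net
10.0.0.7 TXT 9e1c3a5b7d9f0a2c4e6b8d0f2a4c6e8b0d2f4a6c.updates-svc.example.net
10.0.0.7 TXT c4e6b8d0f2a4c6e8b0d2f4a6c8e0b2d4f6a8c0e2.updates-svc.example.net
10.0.0.7 TXT 5b7d9f1a3c5e7b9d1f3a5c7e9b1d3f5a7c9e1b3d.updates-svc.example.net
10.0.0.9 A mail.example.com
"""

# Thresholds are assumptions chosen for this example; tune them against your own baseline.
MIN_QUERIES = 3          # minimum queries per (client, parent domain) before scoring
MIN_AVG_LABEL_LEN = 30   # average length of the leftmost label
MIN_AVG_ENTROPY = 3.0    # average bits/char of the leftmost label
MIN_UNIQUE_RATIO = 0.8   # share of distinct leftmost labels (tunnels rarely repeat)


def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded payloads score high, ordinary hostnames score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split 'client qtype qname' into a tuple; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")


def analyse(log_text: str):
    """Group queries by (client, parent domain) and compute per-group statistics."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qtype, qname = rec
        labels = qname.split(".")
        if len(labels) < 2:
            continue
        # The leftmost label carries the data in a typical DNS tunnel; the rest is the parent.
        payload, parent = labels[0], ".".join(labels[1:])
        groups[(client, parent)].append((qtype, payload))

    stats = {}
    for key, entries in groups.items():
        payloads = [p for _, p in entries]
        stats[key] = {
            "queries": len(entries),
            "avg_label_len": sum(map(len, payloads)) / len(payloads),
            "avg_entropy": sum(map(shannon_entropy, payloads)) / len(payloads),
            "unique_ratio": len(set(payloads)) / len(payloads),
            "qtypes": sorted({t for t, _ in entries}),
        }
    return stats


def flag_tunnels(log_text: str):
    """Return sorted (client, parent_domain) pairs whose query pattern looks like DNS tunnelling."""
    flagged = []
    for (client, parent), st in analyse(log_text).items():
        if (st["queries"] >= MIN_QUERIES
                and st["avg_label_len"] >= MIN_AVG_LABEL_LEN
                and st["avg_entropy"] >= MIN_AVG_ENTROPY
                and st["unique_ratio"] >= MIN_UNIQUE_RATIO):
            flagged.append((client, parent))
    return sorted(flagged)


if __name__ == "__main__":
    for client, parent in flag_tunnels(SAMPLE_LOG):
        print(f"suspicious: {client} -> *.{parent}")
```

On the sample log only the four TXT queries from 10.0.0.7 to `updates-svc.example.net` are flagged; the short, repeated, low-entropy `www`/`cdn`/`mail` labels are not. In production the heuristics should be combined with volume over time, record type (TXT, NULL and CNAME are common carriers) and an allowlist for legitimate high-entropy senders such as CDNs and anti-spam DNS lookups.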

Conclusion

Lyceum is expanding its attack scope, while also retooling its arsenal with new implants. Moreover, researchers suspect that the group will continue to be active, using new and updated malware and TTPs to carry out espionage activities across the Middle East.

Publisher: Cyware